Why We Still Need DNT


Earlier this month, the World Wide Web Consortium (W3C) met face-to-face in California to discuss Do Not Track standards, and there’s a lot of concern about whether the group will meet their self-imposed July deadline. Do Not Track has been getting attention from the media again after the recent re-introduction of the legislation, mostly focused on the controversy it provokes, whether it’s necessary given the upcoming browser modifications, or how unlikely it is to pass Congress. In fact, I will be participating in a panel hosted by the Congressional Internet Caucus titled “Enabling Do Not Track Privacy: Is It Dead or Alive?”, which will be broadcast on CSPAN today. (Watch it here.)

The conversation about tracking isn’t new. Exactly thirteen years ago the very same set of stakeholders were debating the very same set of issues: privacy, 3rd party cookies, and what tracking defaults should be. In fact, if you didn’t notice the date of the article (07/21/2000), you might confuse it for breaking news. Many of the players cited in that article are the same you’d see quoted today (here’s looking at you Microsoft, Doubleclick, Mozilla (Netscape), National Advertising Initiative, and EPIC), and we seem no closer to developing comprehensive standards for online tracking than we were 13 years ago. It can get discouraging.

However, as one of the original architects of Do Not Track (DNT), I still believe it’s an important component of the online privacy debate. While it doesn’t solve all online privacy issues, it is a necessary piece of a thriving and sustainable online advertising ecosystem. Its goal, originally, was to bring the issue of ‘hidden online tracking’ to the forefront, allowing consumers to make an informed decision about who receives information about their behaviors online. To understand the motivation behind DNT (and why it’s necessary even with privacy tools and cookie blockers), it’s important to understand the backdrop of its inception as a response to a broken consumer choice environment.

The problem with existing consumer privacy choice mechanisms is that they rely on the consumer knowing that they’re being tracked, and that opt-outs exist. However, even if users did know about this option, the opt-out tools developed by the advertising industry are often weak to the point of irrelevance. For example, the consumer opt-out offered by the Network Advertising Initiative (NAI) only applies to companies that are part of that network (a very small subset of the tracking ecosystem: NAI lists 93 companies … Evidon lists 1300). Additionally, many of these DNT mechanisms are themselves cookie-based, so when consumers clear their cookies (which is not a bad practice) they also clear out any previously installed “opt-out” cookies. In previous iterations of ad-industry sponsored opt-out systems, some of these DNT cookies had unreasonably short expiration dates, forcing consumers to re-install on a regular basis to remain opted-out. The FTC even brought action against one company for this behavior. Finally, most of the opt-outs didn’t allow users to stop tracking, but only to stop them from receiving targeted ads.

Finally, even if a user is informed enough to opt out of cookie-based tracking, companies often implement persistent tracking mechanisms (like Flash and HTML5 based storage) that circumvent consumer choice (the focus of quite a bit of my previous work). Much of my research has demonstrated the proliferation of third party tracking and the lack of consumer transparency and control, issues not addressed by currently available opt-out measures.

Do Not Track was originally intended to be a simple choice mechanism that allowed consumers to express their preferences with regards to all third party tracking, regardless of the technical mechanism, in an attempt to fix these issues.

Many argue that we should rely on browsers (and their respective plug-in/add-on markets) to provide tools that allow consumers to manage tracking through privacy settings. Although browsers have taken steps in that direction (Safari and Microsoft), Mozilla’s record on this issue is a good example of why this approach won’t result in comprehensive DNT options for users. In 2010 the company unveiled a powerful tool that would have prevented third-party cookies on the browser and, shortly after that, killed the project. The same cycle seems to be repeating itself as the browser company announced support for a similar feature on which it is now potentially backpedaling. It’s not clear why this effort died–whether it was pressure from the ad-industry or, as Mozilla pointed out, a result of the fact that this wouldn’t prevent other kinds of tracking and might accelerate the arms race without providing any real benefit to users. It is clear from this example that it’s not as easy as pointing to the browsers and saying “fix this,” though browsers should be encouraged to compete for market share on privacy features.

Most of the underlying principles in the DNT discussion simply continue the debate we started 13 years ago. We are stuck on the same issues we were stuck on right as the W3C was getting started: what should defaults be, what is “permitted use,” and what does “consent” look like. We had an opportunity to fix it back then and didn’t; now we’ve got another shot.

First, let’s consider the critical issues of what the default settings should be and what constitutes consent. Most DNT proposals still rely on consumers opting out of tracking, which is “on” by default. If we believe that consumer choice is important, which the ad industry says it does, there should be a moment when the user has to decide one way or another.

Many consumers will not take the steps necessary to opt out; they will just maintain the default settings of their browser of choice. Browsers are often believed to best represent the needs and wants of the user–in the technical community they’re referred to as the ‘User-Agent.’ While there are differences in opinion among browser companies about what users want with regards to privacy (browsers with business models that rely on advertising argue users want to be tracked), a reasonable way to find out would be to ask the user what they want on first boot. This is what Microsoft has been convinced to do, starting with IE10. Engaging the user in the decision process can help them understand the value they’re adding to the market (if they participate in advertising) by providing their data and eyeballs to advertisers in exchange for content (something the ad industry is keen to foster).

Addressing the question of default settings will implicitly address another fundamental problem: what constitutes consent? Often, even if a user has made a deliberate choice not to be tracked, the browser overrides that decision and continues tracking, but stops delivering targeted ads. There is a reason for this behavior–the ad-economy is based on “unique viewers” and the best way to calculate that is to track users. Neither advertisers nor publishers seem eager to develop a new method of calculating fees for ads, so this practice persists. In fact, the current draft from W3C provides exemptions for companies to collect information for “permitted uses” such as security and marketing. This is clearly not in the spirit of Do Not Track or supporting consumer choice. In fact, it is even more suspect because now these users have less information about how their data is being used. At least when you are receiving targeted ads you might have some sense of how your online behavior is reflected.

In order to achieve comprehensive DNT standards, we need to be clear about our goals for this process. DNT started as a technical process in a standards body (i.e. geeks), and has shifted to a working group consisting of mostly ad companies posturing about what they’ll tolerate. What reasonable expectations of privacy should users be able to have? We should develop a policy centered around notice and choice, but we need to decide how much information we want invisible third parties to be able to collect. Most importantly, we need to stop beating around the bush and address the three outstanding topics that have been contentious from the start: defaults, exemptions and consent. What is the right balance to preserve privacy and decelerate the arms race? Answering that question will dictate what exemptions we allow, what the defaults should be, and how hard it should be to opt-in/out.

I’m not saying that DNT is the only answer–it is only one piece of a complex tracking puzzle–and it won’t fully address the arms race problems. We also need technical solutions, like de-identification, to limit user exposure in the event of a breach (even for the permitted uses) and technical countermeasures (like Safari’s recent patches) to address the players that don’t follow the standards set out in DNT. However, having a standard policy on tracking simplifies the signal-to-noise problem for the technical countermeasures, much like CAN-SPAM did for SPAM detection. As I’ve said many times, we need technology and policy working together, and while DNT is a significant part of the policy piece, it is not a technical standard.

Despite these challenges, I see the DNT dialogue as an opportunity to develop better standards for data collection generally. Third party data collection is often inaccurate, and involving the user in the process directly would generate higher-quality data and address DNT concerns. A user actively participating in the data-collection process is engaged in the system, and not surreptitiously being tracked by a market built on high data volume and good-guessing.
